Advisories

Siemens SINEC INS: Web-Login zu Root-Shell

By 15. July 2026No Comments7 min read

As part of our security research, we identified an attack chain in Siemens SINEC INS that could be used to An authenticated web user can gain full root privileges on the underlying Linux system. In total, we identified four vulnerabilities. Two of them can be combined to form the attack chain described below.

SINEC INS provides core network services such as DHCP, DNS, NTP, RADIUS, and SFTP for industrial networks. An attacker with root privileges can thus control the core services of an entire network segment; the potential for damage is correspondingly high in an OT environment. Man-in-the-middle attacks can be carried out using manipulated DNS and DHCP responses; authentication can be bypassed via RADIUS; and time-dependent processes can be disrupted via NTP. Siemens has addressed these vulnerabilities with V1.0 SP2 Update 6. Operators using an older version should install the update as soon as possible.

Discovered Vulnerabilities

Product:

Siemens SINEC INS

Affected versions:

All versions prior to V1.0 SP2 Update 6

Found by:

Sixtus Leonhardsberger, Limes Security GmbH

CVSS v4.0 Score

CVE / Vendor ID:

CVE-2026-46746

OS Command Injection

CVSS v4.0 Score

CVE / Vendor ID:

CVE-2026-46748

Privilege escalation

CVSS v4.0 Score

CVE / Vendor ID:

CVE-2026-46747

Path Traversal

CVSS v4.0 Score

CVE / Vendor ID:

CVE-2026-46749

Weak Password Hashing

Attack Chain: From an Authenticated Web User to Root on the Operating System

The following description outlines the interaction between the two most serious vulnerabilities. Detailed exploit steps are intentionally not disclosed; the focus is on the underlying attack pattern.

Step 1 – Command Injection via the SFTP Endpoint (CVE-2026-46746)

SINEC INS provides an SFTP module in the web interface that can be used to create and manage directories. The PATCH endpoint /api/sftp/uploadFiles does not sufficiently validate the directory names passed to it. If an attacker creates a directory whose name contains a command substitution such as $(id), this name is stored unchanged in the file system. The order is critical here. The command is not executed when the directory is created but is first persisted as a directory name. Only when the directory is listed via GET /api/sftp/uploadFiles does the shell evaluate the command substitution. This constitutes a stored command injection, which leads to command execution on the Linux system in the context of the service user `sinecins`. The only prerequisite is a web UI account whose role includes permissions for the SFTP module (specifically, ` sftpRights ` Level 2). However, such an account remains unprivileged; sinecins does not have root privileges at this point. Therefore, the second step in the chain is required to gain full control of the system.

Step 2 – Privilege Escalation via Linux Capability (CVE-2026-46748)

The foothold as ” sinecins ” initially provides only the rights of an unprivileged service user. The actual privilege escalation is enabled by a configuration at the file system level: The binary ` /opt/sinecins/bin/sinecINSsftp ` is assigned the Linux capability ` cap_dac_override `, a case of Execution with Unnecessary Privileges (CWE-250). Under Linux, Discretionary Access Control (DAC) determines which users are allowed to read, write, or execute which files. The cap_dac_override capability bypasses these checks. A process possessing this capability may read and write any file, regardless of the set permissions. The core of the misconfiguration lies in the fact that this privileged binary can be started by the unprivileged service user `sinecins ` with a freely selectable configuration. ` sinecINSsftp ` is an FTP server that accepts any configuration file via a command-line parameter. If an attacker starts the server with a custom configuration, the process is granted the capability upon startup. This allows the attacker to read and overwrite any system files using standard FTP operations. From there, it is a short path to root. The FTP server can be used to create a cron job that runs as root and opens a reverse shell for the attacker. It is also possible to exploit /etc/passwd: The attacker reads the file, adds a backdoor account with UID 0, and writes it back. Logging in with this account then immediately grants a root shell.

The Big Picture

Taken in isolation, the individual vulnerabilities do not appear particularly critical: a stored command injection that initially affects only a service account, and a capability that can be exploited only locally. Together, however, they form a continuous attack chain from the authenticated web user all the way to root on a system that occupies a central position in the network.

Additional Findings

In addition to the attack chain described above, two further vulnerabilities were identified. A path traversal in the SFTP module’s directory listing (CVE-2026-46747) allows directories outside the intended path to be listed. In addition, the application’s password hashing uses a static, hard-coded salt and an insufficient number of iterations (CVE-2026-46749), making password hashes significantly easier to attack. Both issues have also been fixed in Update 6.

Conclusion

Network infrastructure components are often considered low priority in OT environments, even though their central position makes them a particularly attractive target for attacks. This case follows well-known patterns. The most critical scenarios rarely arise from a single vulnerability, but rather from a chain of vulnerabilities. Operators should therefore update to V1.0 SP2 Update 6 as soon as possible (see SSA-860189) and consistently restrict access to SINEC-INS instances to authorized, segmented network zones. This case also underscores that security audits should not be limited to PLC and SCADA systems but must also include the underlying infrastructure software.

Vendor Contact Timeline

Date Event
2026-01-30 The identified vulnerabilities in Siemens SINEC INS were reported to Siemens ProductCERT as part of a responsible disclosure.
2026-02-02 – 2026-05-18 Siemens analyzed the reported vulnerabilities, validated the findings, and developed the corresponding patches.
2026-05-18 Siemens ProductCERT informed us about the planned publication of a security advisory.
2026-06-09 Siemens published the security advisory SSA-860189 – Multiple Vulnerabilities in SINEC INS Before V1.0 SP2 Update 6 and released the corresponding security updates. [1]
2026-06-23 The vulnerabilities were additionally published by CISA in the alert ICSA-26-174-04. [2]
Share